Direction Centrale de la Sécurité des Systèmes d'Information
Smart Card Evaluation and Certification in France
Thomas Bousson, DCSSI
Summary: Smart Card History; Evaluation of Smart Card; Smart Card Acquisition
The beginning of smart cards: The inventions of the 70s; The applications in the 80s
1973 Intel invents EPROM
1974 Mr. Moreno (Innovatron) invents and patents the first Memory Card
1978-1979 In 1978 Mr. Ugon (Bull) invents and patents the SPOM (Self Programmable One Chip Micro-Computer). The first Smart Card is issued in 1979 by Bull with a Motorola microchip.
1980-1985 In 1980, an organisation of French banks is created to use smart cards as debit/credit cards, and in 1985 the first Smart Card for Banking is issued.
1984 French Telecom organisation issues smart cards for public phones. 2 000 000 cards sold in 1986; 6 000 000 cards sold in 1991.
Smart Card and Security: Smart cards are security oriented. In 1986 what was the need of security? Smart card is a computing device that is a security key in a system. 1993: First complete (hardware and software) smart card evaluation in France.
Smart Card evaluation: Smart Card Architecture and Life cycle; Hardware evaluation; Software evaluation; Smart Card evaluation
Physical Architecture [figure: Micro-module; Plastic Card with user's information]
Physical Architecture [figure: Micro-module: Micro-Contacts, Micro-Chip]
Physical Architecture [figure: Micro-module: Micro-Contacts, Micro-Chip; Micro-Chip: Microprocessor (CPU), Memories (EEPROM, ROM, RAM)]
Logical organisation [figure labels: Microprocessor (CPU); BUS; Memories (EEPROM, ROM, RAM); contents: Data, Static Data, Applications, Optional Code/Patches, Operating System]
Logical view [figure: Software (Optional Code/Patches, Applications, Operating System, Data, Static Data); Hardware (Micro-chip)]
Smart Card life cycle [figure: Software development; Micro-chip design; Static Data; Database construction; Photomask fabrication; Patches; Manufacturing; Data; Packaging; Finishing process; Personalisation; End-usage]
Smart Card security: Requirements for the smart card: Protect Data; Protect program execution. To be fulfilled by the combination of hardware and software.
Smart Card evaluation: Evaluate the whole at once: check the fulfilment of the requirements by the whole product. Difficulties: different kinds of development to take into account; 1 chip can be used for different Smart Card applications.
Modular evaluation. Principle: Evaluate Hardware; Evaluate each Software with the hardware. Benefits: 1 evaluation per developer; Reusability of Hardware evaluations for many software applications.
Hardware evaluation [figure: Software (Optional Code/Patches, Data, Applications, Operating System, Static Data); Hardware (CPU, EEPROM, ROM, RAM)]
Hardware evaluation [figure: life cycle with Development and Usage phases: Software development; Micro-chip design; Static Data; Patches; Database construction; Photomask fabrication; Manufacturing; Data; Packaging; Finishing process; Personalisation; End-usage]
Hardware evaluation: Need of 1 hardware for different smart card products [figure: Software A, B, C; Hardware A]
Software evaluation [figure: Software (Optional Code/Patches, Data, Applications, Operating System, Static Data); Hardware (CPU, EEPROM, ROM, RAM)]
Software evaluation [figure: life cycle with Development and Usage phases: Software development; Micro-chip design; Database construction; Static Data; Photomask fabrication; Patches; Manufacturing; Data; Packaging; Finishing process; Personalisation; End-usage]
Composition evaluation: Give a global security assessment on Hardware & Software; Evaluate the Hardware independently of the Software; Evaluate the Software according to the Hardware evaluation results.
Composition evaluation [figure: Software: Evaluated?; Hardware: Evaluated]
Composition evaluation: Some pending questions: Does the Security Target of the Software take into account the security of the Hardware? Are the security features of the Hardware part correctly used by the Software? Is the right Hardware used with the Software? Does the Software induce new vulnerabilities linked to the Hardware?
PREMIER MINISTRE, Secrétariat Général de la Défense Nationale, Direction Centrale de la Sécurité des Systèmes d'Information
Composition activities in hardware evaluation [figure: Hardware Evaluated; ST-Lite; Security Guidances; Config. List; ETR-Lite]
Composition activities in hardware evaluation: Need of documentation to reuse evaluation results from the hardware:
  ST-lite: States the limits of the hardware evaluation. Gives the requirements fulfilled by the Hardware.
  Security Guidance: Gives the implementation recommendation to use the security features of the Hardware.
  Configuration List: Gives the traceability information for delivery of the correct Hardware.
  ETR-lite for composition: Gives the security characteristics of the Hardware in terms of potential vulnerabilities or stress.
Composite evaluation [figure: Software Evaluated; Hardware Evaluated; ST-Lite; Security Guidances; Config. List; ETR-Lite]
Composite evaluation: Evaluate that the Software correctly takes into account the Hardware characteristics: Composite ST covers ST-lite; Implementation (ADV_IMP) takes into account Hardware Security Guidance; Composite product is built on correct configuration of the Hardware; Vulnerabilities take into account both Hardware and Software.
Comparing approaches: Evaluation of 3 products based on same hardware [figure: Software A, Software B, Software C, each on Hardware A]
Complete products evaluations [figure: Smart Card A, Smart Card B, Smart Card C (Software A, Software B, Software C, each on Hardware A); Time/Costs axis: Evaluate Smart Card A, Evaluate Smart Card A, Evaluate Smart Card A]
Composite products evaluations [figure: Smart Card A, Smart Card B, Smart Card C (Software A, Software B, Software C, each on Hardware A); Time/Costs axis: Evaluate Hardware A, Evaluate Software A, Evaluate Software B, Evaluate Software C]
Comparing approaches [figure: Time/Costs axis comparing "Evaluate Smart Card A, Evaluate Smart Card A, Evaluate Smart Card A" with "Evaluate Hardware A, Evaluate Software A, Evaluate Software B, Evaluate Software C"]
The JIL documentations: Joint Interpretation Library: Created to give interpretations on ITSEC (European criteria); Giving interpretation for European certification needs. Documentation on smart card evaluation: done in conjunction with Europe TB3 and ISCI (International Smartcard Certification Initiative); Proposed as CC-Supporting documents; To be used mandatorily in smart card evaluations.
Smart Card evaluation guidance. Audience: Evaluation sponsors; Developers of smartcard products. Content: Smart card terminology; Roles in smart card evaluation; Advice to prepare evaluation; Evaluation work plan. v1.2 February 2004
Requirement to perform Integrated Circuits evaluations. Audience: ITSEFs; CBs for ITSEF licensing. Content: Knowledge and skill required for IC evaluation; Specific smart card attacks; Necessary tools and equipment for ITSEFs; Annex A: Examples for Smartcard Specific Attacks (v1.1 July 2003). v1.1 July 2003
Application of CC to Integrated Circuits. Audience: Manufacturers; ITSEFs; CBs. Content: TOE scope for smartcard; Threat model for smartcards; Smartcard security objectives; Vulnerability and test model. v1.3 April 2000
Integrated Circuits Hardware Evaluation Methodology. Audience: Manufacturers; ITSEFs; CBs. Content: Description of all components to EAL5 with a hardware specific understanding; Calculating attack potential (chap 7), replaced by: Application of Attack Potential to Smartcards (v1.0 March 2002). v1.0 January 2000
ST-lite. Audience: ST writers. Content: Minimum requirements for public ST in the scope of CCRA. v1.1 July 2002
ETR-lite for composition. Audience: Product developers; ITSEF. Content: Rules for information sharing for re-use of IC evaluation results in smart card evaluation; Annex A: Composite Smartcard evaluation (v1.2 March 2002). v1.0 March 2002
Risk management: Needs. Smart Card is mostly a critical element of a system. The Risk managers need: High confidence in smart card security; Confidence through time. Certificate is not for Marketing but to assess the security level.
Risk management: Offers. The French Scheme offers: High evaluation levels by specialised laboratories performing State-of-the-art attacks; High requirements on licensing (hardware tools); Harmonisation between laboratories; Surveillance process to give periodical assessment on vulnerabilities, to maintain the trust on the certificate level.
Certified Smart Card in France: Evaluation Levels; Integrated Circuits; Smart Card Products; Smart Card Developers
Evaluation Levels: EAL 4+ high resistance (AVA_VLA.4): Banking, Health Cards. EAL 1+ basic resistance (AVA_VLA.2): Small scaled limited trials.
Certified SmartCard Integrated Circuits: STMicroelectronics: 35 certificates on ST16, ST19 & ST22; Atmel: 17 certificates on AT05SC & AT90SC; Samsung: 4 certificates on S3CC9; NEC: 1 certificate on V-WAY 64; Infineon: 2 certificates on SLE66CX
Certified SmartCard Products:
  Credit Cards: 29 certificates
  Electronic Purse: 15 certificates
  Health Cards: 7 certificates
  Telephone Cards: 6 certificates
  Pay-TV: 4 certificates
  Transportation Cards: 4 certificates
  Tachograph card: 1 certificate
  Multiservice Cards: 15 certificates
SmartCard Developers: ASK, Axalto, CP8, Gemplus, IBM, Keycorp, Mondex, NTTData, OberthurCS, Sagem, Schlumberger
Contact: certification.dcssi@sgdn.pm.gouv.fr
Certification Body, SGDN/DCSSI, 51, boulevard de la Tour-Maubourg, 75700 Paris 07 SP, France
Tel: +33 1 71 75 82 65, Fax: +33 1 71 75 82 60
www.ssi.gouv.fr